-.TP
-\fBTapDevice\fR = <\fIdevice\fR> (/dev/tap0)
-The ethertap or tun/tap device to use. tinc will automatically detect what
-kind of tapdevice it is.
-Note that you can only use one device per
-daemon. The info pages of the tinc package contain more information
-about configuring an ethertap device for Linux.
-.PP
-.SH "HOST CONFIGURATION FILES"
-The host configuration files contain all information needed to establish a
-connection to those hosts. A host configuration file is also required for the
-local tinc daemon, it will use it to read in it's listen port, public key and
-subnets.
-
-The idea is that these files are ``portable''. You can safely mail your own host
-configuration file to someone else. That other person can then copy it to his
-own hosts directory, and now his tinc daemon will be able to connect to your
-tinc daemon. Since host configuration files only contain public keys, no secrets
-are revealed by sending out this information.
-.PP
-.TP
-\fBAddress\fR = <\fIIP address\fR> (required)
-The real address or hostname of this tinc daemon.
-.TP
-\fBPort\fR = <\fIport number\fR> (655)
-The port on which this tinc daemon is listening for incoming connections.
-.TP
-\fBPublicKey\fR = <\fIkey\fR>
-The public RSA key of this tinc daemon. It will be used to cryptographically
-verify it's identity and to set up a secure connection.
-.TP
-\fBPublicKeyFile\fR = <\fIfilename\fR>
+.El
+.Sh HOST CONFIGURATION FILES
+The host configuration files contain all information needed
+to establish a connection to those hosts.
+A host configuration file is also required for the local tinc daemon,
+it will use it to read in it's listen port, public key and subnets.
+.Pp
+The idea is that these files are portable.
+You can safely mail your own host configuration file to someone else.
+That other person can then copy it to his own hosts directory,
+and now his tinc daemon will be able to connect to your tinc daemon.
+Since host configuration files only contain public keys,
+no secrets are revealed by sending out this information.
+.Bl -tag -width indent
+.It Va Address Li = Ar address Bq recommended
+The IP address or hostname of this tinc daemon on the real network.
+This wil only be used when trying to make an outgoing connection to this tinc daemon.
+Multiple
+.Va Address
+variables can be specified, in which case each address will be tried until a working
+connection has been established.
+.It Va Cipher Li = Ar cipher Pq blowfish
+The symmetric cipher algorithm used to encrypt UDP packets.
+Any cipher supported by OpenSSL is recognised.
+Furthermore, specifying
+.Qq none
+will turn off packet encryption.
+.It Va Compression Li = Ar level Pq 0
+This option sets the level of compression used for UDP packets.
+Possible values are 0 (off), 1 (fast) and any integer up to 9 (best).
+.It Va Digest Li = Ar digest Pq sha1
+The digest algorithm used to authenticate UDP packets.
+Any digest supported by OpenSSL is recognised.
+Furthermore, specifying
+.Qq none
+will turn off packet authentication.
+.It Va IndirectData Li = yes | no Pq no
+This option specifies whether other tinc daemons besides the one you specified with
+.Va ConnectTo
+can make a direct connection to you.
+This is especially useful if you are behind a firewall
+and it is impossible to make a connection from the outside to your tinc daemon.
+Otherwise, it is best to leave this option out or set it to no.
+.It Va MACLength Li = Ar length Pq 4
+The length of the message authentication code used to authenticate UDP packets.
+Can be anything from
+.Qq 0
+up to the length of the digest produced by the digest algorithm.
+.It Va Port Li = Ar port Pq 655
+The port number on which this tinc daemon is listening for incoming connections.
+.It Va PublicKey Li = Ar key Bq obsolete
+The public RSA key of this tinc daemon.
+It will be used to cryptographically verify it's identity and to set up a secure connection.
+.It Va PublicKeyFile Li = Ar filename Bq obsolete